Friday, September 14, 2012

Salted vs Unsalted

A lot of people seem to think that it's okay to use something like salted SHA-1, without any key stretching, as a password hash. The following graphic shows how many guesses an attacker would be able to make per user on a daily or monthly basis, assuming that he can make either one thousand or one billion guesses per second. One thousand guesses per second indicates a password hash such as bcrypt or PBKDF2 that includes stretching to slow down the hash. One billion guesses per second is a reasonable estimate for a single iteration of MD5 or SHA-1 (depending on your hardware).


It should be obvious that salting is not enough. Even with a site that has 10 million users, an attacker can make millions of guesses per user per day against salted SHA-1* or MD5. A strong password hash literally makes password cracking a million times harder. If an attacker can only guess a handful of passwords per day, per user, then any user with a password that isn't his name, username, or on one of the worst passwords lists is probably going to be okay. There is some safety in numbers.

If an attacker targets a single account, he can still make millions of guesses per day, even with a strong password hash. There is no safety in numbers once the attacker is focused on you. Pick good passwords.
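The arithmetic behind these figures, as an added example that is not part of the original post: it recomputes the per-user guess budget for the two rates above and measures on the local machine how much PBKDF2 slows a guess compared with one salted SHA-1 pass. The 30-day month, the 100,000 iteration count, the function names, and the sample password are assumptions made for illustration.

```python
import hashlib
import os
import time

DAY = 86_400        # seconds
MONTH = 30 * DAY    # assumption: 30-day month
# Guesses per second, taken from the post.
RATES = {"stretched (bcrypt/PBKDF2)": 10**3, "single MD5/SHA-1": 10**9}
# 1 = a single targeted account; the other user counts are mentioned in the post.
USER_COUNTS = [1, 10_000, 100_000, 10_000_000]

def guesses_per_user(rate, users, seconds):
    """Per-user salts force one hash per (user, guess), so the budget is split across users."""
    return rate * seconds / users

def table():
    """Rows of (hash type, users, guesses/user/day, guesses/user/month)."""
    return [(name, n, guesses_per_user(r, n, DAY), guesses_per_user(r, n, MONTH))
            for name, r in RATES.items() for n in USER_COUNTS]

def salted_sha1(password, salt):
    """The weak scheme: one SHA-1 pass over salt + password."""
    return hashlib.sha1(salt + password).digest()

def stretched(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA1; the iteration count is an assumed value."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)

def measured_slowdown(iterations=100_000, fast_runs=20_000):
    """How many times slower one stretched guess is than one salted SHA-1 guess here."""
    salt, pw = os.urandom(16), b"constructed-sample-password"
    t0 = time.perf_counter()
    for _ in range(fast_runs):
        salted_sha1(pw, salt)
    fast = (time.perf_counter() - t0) / fast_runs
    t0 = time.perf_counter()
    stretched(pw, salt, iterations)
    slow = time.perf_counter() - t0
    return slow / fast

if __name__ == "__main__":
    for name, users, per_day, per_month in table():
        print(f"{name:26} {users:>10,} users {per_day:>16,.2f}/day {per_month:>18,.2f}/month")
    print(f"measured slowdown from stretching: ~{measured_slowdown():,.0f}x")
```

The measured slowdown includes Python call overhead on the fast path, so it understates the gap an attacker with optimized cracking hardware would see.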

* I used SHA-1 as an example because it's common. The SHA-2 family are stronger cryptographic hashes, but they don't provide any significant benefit beyond SHA-1 for password hashing.

Edit: I'd like to point out that, for simplicity, these numbers do not factor in the number of passwords that are actually cracked along the way.

Edit #2: I expanded the graphic to include user counts of 10k, 100k, and 10M. Thank you Solar Designer for the suggestion.